INFORMATION


High Level Summary


The web is “stateless” - the browser does not maintain a connection
to the server while you are looking at a page. You may never come
back to the same server - or it may be a long time - or it may be one
second later

So we need a way for servers to know “which browser is this?”

• In the browser state is stored in “Cookies”

• In the server state is stored in “Sessions”
[Screenshot: a site login form, cut off at the edge: “If you have lost your password, ... membership@si539.com to ha...” with a Submit button]

[Screenshot: University of Michigan weblogin page. “AUTHENTICATION REQUIRED: You are connecting to a U-M website that requires authentication. Please enter your Login ID (uniqname or Friend ID) and password to continue. Need a Login ID? If you don't have a Login ID, you can create one now.” Fields: Login ID, Password, MToken; a Log In button; links “Forgot your password?” and “Login Help”]
Some Web sites always seem to want to know who you are!

Other Web sites always seem to know who you are!

How you see YouTube...

How YouTube sees you...


Multi-User


When a server is interacting with many different browsers at the same
time, the server needs to know *which* browser a particular request
came from

Request / Response initially was stateless - all browsers looked
identical - this was really really bad and did not last very long at all.


Web Cookies to the Rescue


Technically, cookies are arbitrary pieces of data chosen by the Web
server and sent to the browser. The browser returns them unchanged to
the server, introducing a state (memory of previous events) into
otherwise stateless HTTP transactions. Without cookies, each retrieval
of a Web page or component of a Web page is an isolated event,
mostly unrelated to all other views of the pages of the same site.
Cookies In the Browser


Cookies are marked as to the web addresses they come from - the
browser only sends back cookies that were originally set by the same
web server

Cookies have an expiration date - some last for years - others are
short-term and go away as soon as the browser is closed


Playing with Cookies


Firefox Developer Plugin has a set of cookie features
Other browsers have a way to view or change cookies
Identifying Individual Users

The Web is “stateless”

How do we make the web seem not to be stateless?


Request Response Again!


HTTP Request / Response Cycle


(Review)


Hello there my name is Chuck
HTTP Request / Response Cycle


Web Server


GET /index.html HTTP/1.1
Accept: www/source
Accept: text/html
User-Agent: Lynx/2.4


Browser


HTTP

Request


We do our initial
GET to a server. The
server checks to see if
we have a cookie with
a particular name set.
Since this is our first
interaction, we have
no cookies set for this
host.
HTTP Request / Response Cycle


Along with the rest of
the response, the
server sets a cookie
with some name
(sessid) and sends it
back along with the
rest of the response.


Web Server


HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: sessid=123

<head> .. </head>
<body>
HTTP Request / Response Cycle

host: sessid=123


From that point
forward, each time we
send a GET or POST
to the server, we
include any cookies
which were set by that
host.
HTTP Request / Response Cycle


On each response, the
server can change a
cookie value or add
another cookie.


Web Server


Browser


host: sessid=123
host: name=chuck


HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: name=chuck

<head> .. </head>
<body>

<h1>Welcome ....


http://www.oreilly.com/openbook/cgi/ch04_02.html


HTTP

Response
HTTP Request / Response Cycle

From that point
forward, each time we
send a GET or POST
to the server, we
include all the cookies
which were set by that
Security


We only send cookies back to the
host that originally set the cookie

The browser has *lots* of cookies
for lots of hosts

To see all Cookies: Firefox ->
Preferences -> Privacy -> Show
Cookies


[Screenshot: Firefox “Show Cookies” dialog: “The following cookies are stored on your computer:” followed by the per-host cookie list]
Two Kinds of Cookies


Two kinds of cookie

Long-lived - who you are - account name, last access time - you can
close and reopen your browser and it is still there

Temporary - used to identify your session - it goes away when you
close the browser
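The request/response slides, the Security slide and the two kinds of cookie can all be seen in one small simulation of what the browser does. This is an added example, not code from the slides or from any browser: a tiny in-memory cookie jar that stores cookies per host, sends them back only to the host that set them, drops long-lived cookies once their Max-Age has passed, and forgets temporary cookies when the browser is “closed”. The host names, cookie values and timestamps are constructed for the demo.

```python
"""Added example (not from the slides): an in-memory cookie jar that
mimics the browser's side of the HTTP request/response cycle.
Hosts, cookie names, values and clock values are constructed demo data."""
import time
from http.cookies import SimpleCookie


class CookieJar:
    """Stores cookies per host, the way a browser does.

    Each entry is (value, expires_at); expires_at is None for a temporary
    (session) cookie that disappears when the browser is closed."""

    def __init__(self):
        self._jar = {}  # host -> {cookie name: (value, expires_at)}

    def receive(self, host, response_headers, now=None):
        """Process every Set-Cookie header in a response that came from `host`."""
        now = time.time() if now is None else now
        for header, value in response_headers:
            if header.lower() != "set-cookie":
                continue
            parsed = SimpleCookie()
            parsed.load(value)
            for name, morsel in parsed.items():
                max_age = morsel["max-age"]            # "" when the server set none
                expires_at = now + int(max_age) if max_age else None
                self._jar.setdefault(host, {})[name] = (morsel.value, expires_at)

    def cookie_header(self, host, now=None):
        """Build the Cookie: header for a request to `host`, or None if we have nothing.

        Only cookies that this same host set are returned (the Security
        slide), and long-lived cookies that have expired are dropped."""
        now = time.time() if now is None else now
        live = {}
        for name, (value, expires_at) in self._jar.get(host, {}).items():
            if expires_at is None or expires_at > now:
                live[name] = (value, expires_at)
        self._jar[host] = live
        if not live:
            return None
        return "; ".join(f"{name}={value}" for name, (value, _) in live.items())

    def close_browser(self):
        """Temporary cookies (no expiry) go away; long-lived ones survive."""
        for host, cookies in self._jar.items():
            self._jar[host] = {n: c for n, c in cookies.items() if c[1] is not None}


def walk_through_cycle():
    """Replay the slides' exchange; return the Cookie header sent on each request."""
    jar = CookieJar()
    sent = []
    # 1. First GET: no cookies exist for this host yet, so no Cookie header.
    sent.append(jar.cookie_header("www.example.com", now=1000))
    # 2. The server sets sessid=123 (temporary) along with its response.
    jar.receive("www.example.com", [("Content-type", "text/html"),
                                    ("Set-Cookie", "sessid=123")], now=1000)
    sent.append(jar.cookie_header("www.example.com", now=1001))
    # 3. A later response adds a long-lived cookie (Max-Age is in seconds).
    jar.receive("www.example.com", [("Set-Cookie", "name=chuck; Max-Age=3600")], now=1001)
    sent.append(jar.cookie_header("www.example.com", now=1002))
    # 4. A request to a different host carries none of these cookies.
    sent.append(jar.cookie_header("other.example.org", now=1002))
    # 5. Close and reopen the browser: sessid is gone, name is still there.
    jar.close_browser()
    sent.append(jar.cookie_header("www.example.com", now=1003))
    # 6. An hour later the long-lived cookie has expired as well.
    sent.append(jar.cookie_header("www.example.com", now=1001 + 3601))
    return sent


if __name__ == "__main__":
    for step, header in enumerate(walk_through_cycle(), 1):
        print(f"request {step}: Cookie: {header}")
```

Real browsers also honour the Domain, Path, Secure and HttpOnly attributes and an absolute Expires date; this jar deliberately implements only the host scoping and the temporary/long-lived distinction that the slides describe.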
Using Cookies to Support Sessions

and Login / Logout


[Screenshot: the University of Michigan weblogin page again - “AUTHENTICATION REQUIRED ... Please enter your Login ID (uniqname or Friend ID) and password to continue.” with “Forgot your password?” and “Login Help” links]


Some Web sites always seem to want to know who you are!
In The Server - Sessions


In most server applications, as soon as we meet a new browser - we
create a session

We set a session cookie to be stored in the browser which indicates
the session id in use

The creation and destruction of sessions is generally handled by a web
framework or some utility code that we just use to manage the
sessions


Session Identifier


A large, random number that we place in a browser cookie the first
time we encounter a browser.

This number is used to pick from the many sessions that the server
has active at any one time.

Server software stores data in the session which it wants to have from
one request to another from the same browser.

• Shopping cart or login information is stored in the session in the
server
but are not yet
logged in.

Having a session is not the same as being logged in.

Generally you have a session the instant you connect to a web site
The Session ID cookie is set when the first page is delivered
Login puts user information in the session (stored in the server)
Logout removes user information from the session
Using Sessions for Other Stuff
Cookie/Session Summary

Cookies take the stateless web and allow servers to store small
“breadcrumbs” in each browser.

Session IDs are large random numbers stored in a cookie and used to
maintain a session on the server for each of the browsers connecting
to the server

Server software stores sessions *somewhere* - each time a request
comes back in, the right session is retrieved based on the cookie

Server uses the session as a scratch space for little things


